Tapan Kumar Jha
Keywords: Web Application Penetration Testing, VAPT, OWASP Top 10, Dynamic Analysis, Automated Scanners, Comparative Study
Abstract: Web applications increasingly serve as critical infrastructure, yet remain disproportionately vulnerable to cyber-attacks. This paper presents a comparative analysis of modern penetration testing (VAPT) tools—both open-source and commercial—with a focus on detection efficacy, coverage of the OWASP Top 10, false-positive rates, performance, usability, and cost. A selection of tools (Skipfish, OWASP ZAP, Burp Suite Pro, W3af, Qualys WAS, and Fortify WebInspect) is reviewed through data drawn from recent peer-reviewed studies, benchmarks on standardized testbeds such as bWAPP, and industry reports. Findings indicate that while Burp Suite Pro leads in comprehensive detection for commercial settings, OWASP ZAP stands out among free tools. Skipfish offers high-speed coverage, but manual testing remains essential for business-logic flaws. The paper discusses each tool’s strengths, limitations, and areas for improvement—including AI integration, reduced noise, improved logic-flaw detection, and standardized benchmarking. Future directions stress a hybrid testing approach combining automation and human expertise.

International Journal of Recent Research and Review
ISSN: 2277-8322
Vol. XVII, Issue 4
December 2024
PUBLISHED: December 2024
ISSUE: Vol. XVII, Issue 4
SECTION: Articles